HIBP

The site haveibeenpwned.com publicly lists email addresses that have appeared in hacks, as well as all passwords that have appeared, but for security reasons the two are not shown together.

There are also similar services in the academic environment:
Hasso Plattner Institute/University of Potsdam
Identity Leak Checker/Uni Bonn.

If an address is listed there, it does not mean that you have done anything wrong, but only that a provider where you have deposited your email address (e.g. as username or as contact address) has been "hacked". The hack may have happened some time ago. It may even be that another person has entered your address, e.g. as a username.
"Pwned" originated as a typo of "owned" and here stands for "caught".
If we learn about new entries in this database (we receive information about the domains @sbox.tugraz.at, @student.tugraz.at and @tugraz.at), we inform the affected users (semi-automatically).

What to do?
  1. Check all your email addresses and usernames on the page haveibeenpwned.com.
  2. If passwords are also listed under "Compromised data", the following applies:
    • If you have not changed your password for the affected service (if that is specified) for a while, then that would be a reason to change it now.
    • If you have set the same password in TUGRAZonline as for the affected service (that is not allowed) and have not changed the password in TUGRAZonline in the meantime, then the TUGRAZonline password must also be changed!
      Reason: From your TUGRAZonline email address and password it is relatively easy to get to your user name, and then an attacker knows your access data (user name and password).
    • If you have used the same password in other systems, you should change it there too, but this time (and in the future) do not reuse the same password.
    We send warning emails to affected users only if passwords are explicitly mentioned in the hack.
  3. Attention: Check also if there is a "sensitive breach"!

If no password was affected by the hack or you do not use the TUGRAZonline password on other services or have already changed the TUGRAZonline password anyway, then at least the account at TU Graz should not be at risk, but there may be other consequences.
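The notification rule described above (only the monitored domains, a warning only when passwords are part of the hack, sensitive breaches flagged separately), sketched as an added example that is not ZID's own tooling. The field names `BreachDate`, `DataClasses` and `IsSensitive` follow the public HIBP breach model; the breach records, addresses, the hits layout and the `LAST_CHANGE` lookup are constructed or hypothetical.

```python
from datetime import date

# Domains named on this page; matched exactly, not by suffix.
MONITORED = {"sbox.tugraz.at", "student.tugraz.at", "tugraz.at"}

# Constructed breach records using HIBP breach-model field names.
BREACHES = {
    "ExampleShop": {"BreachDate": "2016-05-17", "IsSensitive": False,
                    "DataClasses": ["Email addresses", "Passwords"]},
    "ExampleForum": {"BreachDate": "2019-03-10", "IsSensitive": False,
                     "DataClasses": ["Email addresses", "Usernames"]},
    "ExampleClinic": {"BreachDate": "2021-11-02", "IsSensitive": True,
                      "DataClasses": ["Email addresses", "Passwords"]},
}

# Constructed hits (address -> breach names); this layout is an assumption.
HITS = {
    "Alice@tugraz.at": ["ExampleShop", "ExampleForum"],
    "bob@student.tugraz.at": ["ExampleClinic"],
    "carol@nottugraz.at": ["ExampleShop"],
}

# Hypothetical: date of each user's last TUGRAZonline password change.
LAST_CHANGE = {"alice@tugraz.at": date(2015, 1, 1),
               "bob@student.tugraz.at": date(2022, 6, 1)}


def plan_warnings(hits, breaches, last_change):
    """Return one warning per (address, breach) that includes passwords."""
    warnings = []
    for address, names in hits.items():
        addr = address.strip().lower()
        if addr.rpartition("@")[2] not in MONITORED:
            continue  # outside the domains we are notified about
        for name in names:
            breach = breaches[name]
            if "Passwords" not in breach["DataClasses"]:
                continue  # warn only when passwords are part of the hack
            breached_on = date.fromisoformat(breach["BreachDate"])
            changed = last_change.get(addr)
            warnings.append({
                "address": addr,
                "breach": name,
                "sensitive": breach["IsSensitive"],
                # True: a reused TUGRAZonline password would still be exposed.
                "unchanged_since_breach": changed is None or changed <= breached_on,
            })
    return warnings
```
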

Example:
Here you can see that a ZID employee address (1) was affected (2) in a Dropbox hack in 2012 (3) and a LinkedIn hack in 2016 (4) and that unfortunately passwords were affected (5):

This means that the affected employee should urgently change the respective password in Dropbox and LinkedIn - if he has not done so after 2012 or 2016, respectively.
Since the TU Graz password alone is not sufficient without the time-based 2nd factor in most systems, there is generally no direct need for action at TU Graz.

If your address appears under "Anti Public Combo List" (December 2016) or "Onliner Spambot" (August 2017) or "Exploit.In" (end of 2016), then unfortunately it is unknown which service exactly is affected.

Don't forget to search the non-public breaches as well:

In general, even for services where this is not enforced, you should change your password regularly, and you should never use the same password for different services!
For services where you do not want it to be known that you are a customer, it is also advisable to use an email address that does not allow any inference about your name or your employer.

Firefox offers a similar service, where you can also register to be notified of the appearance of your email address: Firefox Monitor.